Vulnerable Out of the Box - The Problem With Plug-Ins

Tuesday, November 16, 2010

Rafal Los


As I was digging through my cache of old white papers, industry reading material and other such things on a plane ride recently (and I do a lot of those these days), I stumbled upon the "Invisible Things - Quest to the Core" presentation. 

If you've not seen or read it - it's scary research and proofs coming from some of my fellow Polish researchers! 

Anyway... slide 18 of 209 just caught me for a moment... it was a screen capture of a ZDNet article Ryan Naraine had written on September 2nd, 2009 titled "Snow Leopard ships with vulnerable Flash Player". I just sort of sat there for a moment... and contemplated.

How is that different today? Of course, nearly every machine today that ships with Adobe Flash player (not that I'm interested in picking on Adobe here) has a "vulnerable flash player" installed.

Given how often this plug-in gets 0day headlines, it's a wonder any computer vendors would package the player in "out of the box" for fear of shipping a vulnerable version.

Of course, the reaction is then to simply not ship Flash Player by default... thus decreasing the likelihood of shipping it with that particular vulnerability - but then the user has to go get it themselves... possibly getting it from a site that's distributing *malware* instead of Flash!

I've thought about this for a moment, and have an alternative which I think would work.  I can't remember who put this idea in my head so I'm failing to give someone credit and I apologize - but WHAT IF computers came shipped with *nothing* except a bare-bones OS by default?

What if on the first boot you had to be connected to the Internet, and your computer would then connect to a *trusted site* over a *secure channel* (I'm thinking SSL auth & encrypt here, bi-directionally) - then pull down all the software you'd need from a single vendor-supplied distribution point? 

This would both ensure that the software you're getting when you power your computer on is both timely, updated, and from a trusted source.

Interesting idea, isn't it?  What do you think, would this work?

Cross-posted from Following the White Rabbit

Possibly Related Articles:
Encryption SSL Software Plug-Ins
Post Rating I Like this!
Ray Tan Interesting idea.
However, we need to install kinds of programs on our computers, and not every website of the vendor are secured properly.
It is hard to distinguish them from malicious websites, indeed.
Rafal Los Ray- Your response is sound. My proposal is at least one means forward... right now what we have is not acceptable, so we have to do something ...right?
Ray Tan @Rafal,
Yes,we do need to optimize our current ways.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.